Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp203085lqo;
        Tue, 7 May 2024 17:59:38 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUP5ElTVF9DDKDxx4t1RcbHQpHn1hgspp+RkSJXuImF6mVOz1QnjUQyieyC1Lf73WG7u1jF/CVA31uVdjIUFKO7mo6n87eiHz1rl428WA==
X-Google-Smtp-Source: AGHT+IG+hQ+KSmwITMZDQDTE84jVqOi5Q/waPrig3LFub4pWnZMDo6d2ZYXAsO0YLdKluAz0X2D5
X-Received: by 2002:a05:6a20:3ca4:b0:1a7:5fbf:3774 with SMTP id adf61e73a8af0-1afc8dc86abmr1966855637.55.1715129978497;
        Tue, 07 May 2024 17:59:38 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715129978; cv=pass;
        d=google.com; s=arc-20160816;
        b=M4DBpYU/MLTzKmg/VtyRZ/tgf6ufdDAsnBjmqzki5djpyoEg4xpyBCcN7mtL5Xm8ri
         3iEV/xRf8BHT0jxxedQ3LdF6aAqvs7qmHnF6Cda0Z7cAhlRSk2taa4j+2R8FkRN0P/sU
         ETEr49hdAp6vGZ39IgAp79JA1Aaa64fq8tX/qM/0ums9KpB9GQ7zVVdgbK5XOJxewCi6
         KFOhW3xZS/dhgx21ANfAmfTSpK1zy/wzPeUmCleOt9u6ozHtGWIrwz/xDPVx+5WdDpwB
         IY0Mq16z0G91TNd+cMH6x/HAvWFwY+t+ZemDgZzuILw2QVTpY6eOUpHv5iC6FkD4ll+8
         yLXw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:dkim-signature:date;
        bh=CKJj04qCaWozA5OZiCOs2YLUCi6uSucwcFVp9F+GYz0=;
        fh=ZbcJgOIj31NLWRSZZioNngDXdsUDhUAxt7sbcVNd43s=;
        b=00sQHh6czUjX3IIr9be/Vu3FYEeGCWWlpOkvV0k1oi5AzR81ErBR9q+xt5RhKv+tJc
         RtlyGxbU1WBr2gqsbTJ39ylny/I494zO1NggkQofwv7AfFhs7r/TdsF2uKMOlkAGTJYN
         HMjJT8OUzO9t7aXI+O2hxxUi4l4k5R/1Re6DtdFHTYKzGEZ/xWcz9tQ/YfzTolNgYX4f
         XBRg/5Tq9hyEtalYVR6H8xKFawy0nneFAKycw5MoKlfNy/JCsCosdbwf/J7nrkLaM3Ka
         iun6NUbeCYO8PwD/D3UzqRBx4PsoJxejTqc46xZXXMPCHJ3FKYSOrG3p7O/Yk2a1/jNS
         HgFA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=hYozxBpU;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Return-Path: <linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id h4-20020a170902f54400b001e9661a15bbsi12058655plf.210.2024.05.07.17.59.38
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 May 2024 17:59:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=hYozxBpU;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172575-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 0D0D2285F1D
	for <linux.lists.archive@gmail.com>; Wed,  8 May 2024 00:59:34 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3A06D3D9E;
	Wed,  8 May 2024 00:59:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="hYozxBpU"
Received: from out-183.mta0.migadu.com (out-183.mta0.migadu.com [91.218.175.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9F21C621
	for <linux-kernel@vger.kernel.org>; Wed,  8 May 2024 00:59:22 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.183
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715129965; cv=none; b=lsk8fhbkJaD/Cg+d38yu+xjPyJ3Ru0eoUzctweSzX3yUp+o7AFJT5ZpOQU53JV4iuYeGcBcKWT/WMMFsPsRNneLuLg8sj7uKDLUVRMzxiqYsPLaNqulRjJfwtfch59TGSYlqZZb/gRB0A3ldvjYvk0FfkBRjaRgrMcN0M+JrSCE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715129965; c=relaxed/simple;
	bh=HPKo0kjA4VMAEdS3jgdkrkVKvRNlcwe01fWxC6/gNfQ=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=KkeWsIJI5hkrBfExuybShANYRVEVflAHECaspfA+szTvfm0NZqLH5pslanZE7drjuoehbgvjlWGG7tqk3P162fnFTsHHKADp3eTa2NaSqmVWBHVU3dz7ju+QdVBMCGvzCsnQUo5J/c95gG2zLa228arv32riEJxOUSn4PfHq4Fw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=hYozxBpU; arc=none smtp.client-ip=91.218.175.183
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
Date: Tue, 7 May 2024 20:59:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1715129960;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=CKJj04qCaWozA5OZiCOs2YLUCi6uSucwcFVp9F+GYz0=;
	b=hYozxBpUi13Ihp6MHSC3zJItNcCVYBGiy5gWX8Cs0A6y+Himp+jshK97g07kCOl3TFq88i
	Zt4sN7Z/Mdhg79dg+hAEgGzsQHKwbgZ8KNdJh1Vy9rVJwc1MZRjoKopdTONURw2+FmmZKI
	m2QLFJSDTFZEtSm+HF1ArKHYMD8FvDs=
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Kent Overstreet <kent.overstreet@linux.dev>
To: Edward Adam Davis <eadavis@qq.com>
Cc: bfoster@redhat.com, linux-bcachefs@vger.kernel.org, 
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, 
	syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] bcachefs: fix oob in bch2_sb_clean_to_text
Message-ID: <7chwa5h2y2eotafxfnapxn754n7y3zpze2sm5dif3zyx7hkxcc@2zu6pskc7fbo>
References: <x73mcz4gjzdmwlynj426sq34zj232wr2z2xjbjc4tkcdbfpegb@hr55sh6pn7ol>
 <tencent_6086EB12C2C654899D6EE16EF28C8727EC06@qq.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <tencent_6086EB12C2C654899D6EE16EF28C8727EC06@qq.com>
X-Migadu-Flow: FLOW_OUT

On Wed, May 08, 2024 at 08:49:39AM +0800, Edward Adam Davis wrote:
> On Tue, 7 May 2024 10:14:22 -0400, Kent Overstreet wrote:
> > > When got too small clean field, entry will never equal vstruct_end(&clean->field),
> > > the dead loop resulted in out of bounds access.
> > >
> > > Fixes: 12bf93a429c9 ("bcachefs: Add .to_text() methods for all superblock sections")
> > > Fixes: a37ad1a3aba9 ("bcachefs: sb-clean.c")
> > > Reported-and-tested-by: syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com
> > > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > 
> > I've already got a patch up for this - the validation was missing as
> > well.
> > 
> > commit f39055220f6f98a180e3503fe05bbf9921c425c8
> > Author: Kent Overstreet <kent.overstreet@linux.dev>
> > Date:   Sun May 5 22:28:00 2024 -0400
> > 
> >     bcachefs: Add missing validation for superblock section clean
> > 
> >     We were forgetting to check for jset entries that overrun the end of the
> >     section - both in validate and to_text(); to_text() needs to be safe for
> >     types that fail to validate.
> > 
> >     Reported-by: syzbot+c48865e11e7e893ec4ab@syzkaller.appspotmail.com
> >     Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
> > 
> > diff --git a/fs/bcachefs/sb-clean.c b/fs/bcachefs/sb-clean.c
> > index 35ca3f138de6..194e55b11137 100644
> > --- a/fs/bcachefs/sb-clean.c
> > +++ b/fs/bcachefs/sb-clean.c
> > @@ -278,6 +278,17 @@ static int bch2_sb_clean_validate(struct bch_sb *sb,
> >  		return -BCH_ERR_invalid_sb_clean;
> >  	}
> > 
> > +	for (struct jset_entry *entry = clean->start;
> > +	     entry != vstruct_end(&clean->field);
> > +	     entry = vstruct_next(entry)) {
> > +		if ((void *) vstruct_next(entry) > vstruct_end(&clean->field)) {
> > +			prt_str(err, "entry type ");
> > +			bch2_prt_jset_entry_type(err, le16_to_cpu(entry->type));
> > +			prt_str(err, " overruns end of section");
> > +			return -BCH_ERR_invalid_sb_clean;
> > +		}
> > +	}
> > +
> The original judgment here is sufficient, there is no need to add this section of inspection.

No, we need to be able to print things that failed to validate so that
we see what went wrong.